Monetize DPA

Schedule 1 – Monetize Data Privacy Addendum

 

This Data Privacy Addendum (“Addendum“) forms part of Monetize International – SDK License and Publisher Terms in place between Vungle SEA Pte. Ltd. (“Liftoff”) and the company identified as the “Developer” in the Agreement.  Capitalized terms used in this Addendum shall have the same meaning given to them in the main body of the Agreement unless otherwise defined in this Addendum. These Addendum terms shall only apply to the extent a Party processes Personal Data protected by Data Protection Laws under or in connection with this Agreement which incorporates these Addendum terms by reference.

 

IT IS AGREED:

1.          Definitions:

Ad Data” has the meaning given to it in Section 2 of this Addendum.

 

Controller” means the entity that determines the purposes and means of the processing of Personal Data.

 

Demand Partners” means Liftoff’s media buying clients, including but not limited to Advertisers and attribution partners, demand side platforms, ad exchanges, agencies, agency trading desks and ad networks who submit “bids” for Liftoff Ad inventory.

 

Data Protection Laws” means all data protection and privacy laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including, including (a) EU Regulation 2016/679 (“GDPR“); (b) GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR“); (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (d) in the UK, the Data Protection Act 2018 (“DPA“); (e) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (f) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time;

 

EEA” means for the purposes of this Addendum, the European Economic Area .

 

“Ex-EEA Transfer” means a transfer of Personal Data subject to GDPR by a Party, to a Party (or its premises) in a Restricted Country;

 

“Ex-UK Transfer” means a transfer of Personal Data subject to UK GDPR by a Party, to a Party (or its premises) in a Restricted Country;

 

Personal Data” means any information relating to an identified or identifiable natural person (which shall include for the avoidance of doubt, any personally identifiable information) or as otherwise defined in applicable Data Protection Laws.

 

“Restricted Country” means (a) any country outside the UK or EEA which is not deemed adequate by (for Personal Data subject to GDPR) the European Commission pursuant to article 45 of GDPR or by (for Personal Data subject to UK GDPR) the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA, or an adequacy decision recognised pursuant to paragraphs 4 and 5 of Schedule 21 of the DPA.

 

“Standard Contractual Clauses” means Module 1 (Controller to Controller) of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf, as applicable in accordance with this Addendum (and for these purposes, the provision relating to Modules 2, 3 and 4 of the standard contractual clauses are deleted) as amended or replaced from time to time.

 

Tracking Technologies” means mobile SDKs, unique identifiers, pixels, and similar tracking technologies.

 

UK” means the United Kingdom.

 

UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses, as may be amended, replaced or superseded by the UK’s Information Commissioner’s Office (“ICO“) from time to time (including as formally issued by the ICO under section 119A(1) DPA).

 

Privacy Notice” means the privacy notice available (the latest version of which is available here: http://vungle.com/privacy), as updated from time to time.

 

data subject“, “processing” (and “process“) shall have the meanings given to them in Data Protection Laws.

 

2.          Scope of Processing:

2.1.               Developer acknowledges and agrees that in connection with the Monetize Platform and Vungle SDK: (i) Liftoff may collect or otherwise receive data (including Personal Data) relating to end users of the Developer Apps (such as App Data), including unique device identifiers, log information, as well as usage data (such as Performance Data), including information about ads viewed or clicked, post-install data, geo-location of an end user’s device (as may be enabled by the Developer App) and streaming data, all as more particularly described in the Privacy Notice (collectively “Ad Data“); and (ii) Liftoff and its Demand Partners use Tracking Technologies to collect certain Ad Data.

 

2.2.               Developer grants Liftoff a perpetual, irrevocable, worldwide, sublicenseable right and license to use, copy, modify, distribute and otherwise  process Ad Data for the following purposes: (a) accessing or calling the Developer Apps, or the servers that make them available, to cause the routing, serving, displaying, targeting, and tracking the performance of Liftoff Ads on the Developer Apps; (b) building and storing profiles of end users; (c) using Ad Data for Liftoffs internal business purposes, including to develop and improve the Vungle SDK and Monetize Platform; (d) for any other purposes identified in the Privacy Notice; and (e) disclosing Ad Data (i) to third parties (including Demand Partners) as reasonably necessary to operate the Monetize Platform, (ii) if required by any court order, process, law or governmental agency; and/or (iii) generally when it is aggregated, such that the specific information relating to Developer or any underlying end user is not directly identifiable  (“Permitted Purposes“).

 

3.          Relationship of the Parties.

To the extent Ad Data contains Personal Data, Liftoff shall process such data as a Controller (where applicable Data Protection Laws recognize such concept) and only for the Permitted Purposes. Nothing in the Agreement (including this Addendum) shall limit or prevent Liftoff from collecting or using data that Liftoff would otherwise collect and process independently of Developer’s use of the Monetize Platform and Vungle SDK.

 

4.          Developer’s Responsibilities:

4.1.           Notice Requirements.

(a)                 Developer represents and warrants that it shall conspicuously post, maintain, and abide by a publicly accessible privacy notice within the Developer App that satisfies the transparency and information requirements of the Data Protection Laws and this Addendum. If notice cannot be provided in or around Liftoff Ads, then Developer should make arrangements to provide notice within the Developer App or on the landing page of the Liftoff Ad.

 

(b)                 Without prejudice to the generality of the foregoing, such notice shall, at a minimum, include the following: (i) the fact that Liftoff and its Demand Partner’s use Tracking Technology to collect use and share Ad Data; (ii) a conspicuous  link to or description of how and where end users can opt-out of collection and use of their information for ad targeting, including a link to the Liftoff opt-out (https://vungle.com/opt-out/); (iii) a description of the types of Ad Data that are collected and how and for what purposes the Ad Data will be used or transferred to third parties, including the fact that third parties may process Ad Data to provide measurement services and targeted ads; and (v) where EU Data Protection Law applies, the identity of the Controller(s) of Ad Data.

 

4.2.                Notice and Consent.  Developer represents and warrants it has provided (and shall maintain) all required notices and obtained all necessary permissions and consents in accordance with the Data Protection Laws from the relevant data subjects (including any parental consent required by applicable Data Protection Laws) on behalf of Liftoff and all applicable Demand Partners to lawfully permit: (a) Liftoff and all applicable Demand Partners to collect, process and share Ad Data for the Permitted Purposes; and (b) deploy Tracking Technologies in order to collect Ad Data from the devices of end users served with Liftoff Ads.

 

4.3.               Consent Mechanism.  Where consent is the lawful basis for processing Personal Data collected via Developer Apps by either party and/or where consent is required for the use of Tracking Technologies pursuant to Data Protection Laws, Developer represents and warrants that it shall, at all times, make available, maintain and make operational on the Developer Apps: (i) a mechanism for obtaining such consent from data subjects in accordance with the requirements of the Data Protection Laws; and (ii) a mechanism for data subjects to withdraw such consent (opt-out) in accordance with the Data Protection Laws.

 

4.4.               Consent Records.  Developer shall maintain a record of all consents obtained pursuant to Section 4.3 (above) from data subjects as required by the Data Protection Laws, including the time and date on which consent was obtained, the information presented to data subjects in connection with their giving consent, and details of the mechanism used to obtain consent. Developer shall maintain a record of the same information in relation to all withdrawals of consent by data subjects. Developer shall make these records available to Liftoff promptly upon request.

 

4.5.               Non-compliance. If Developer is unable to comply with its notice and consent obligations under this Addendum, Developer shall promptly notify Liftoff and Liftoff may elect to perform any one or all of the obligations provided Developer does not prevent Liftoff from performing such obligations. In the event neither party is able to perform such obligations, Liftoff shall have the right to terminate the Agreement without liability upon written notice.

 

4.6.               Prohibited Data Sharing.  Developer shall not: (i) share with Liftoff any Personal Data that allows users of Developer Apps to be directly identified (for example, by reference to their name or email address); and (ii) pass to Liftoff any personal data of children (as such term is defined under applicable Data Protection Laws), unless expressly agreed in writing and as permitted under Data Protection Laws. Upon request, Liftoff shall provide Developer with such reasonable assistance as Developer may require to enable Developer to provide such notice and obtain such consents.

 

5.          Co-operation and Data Subject Rights.

The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) to enable the other to comply with its obligations under the Data Protection Laws, specifically in order to enable the other to respond to: (i) any request from a data subject to exercise any of its rights under EU Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to the Ad Data (“Data Subject Rights“); and (ii) any other correspondence, inquiry, or complaint received from a data subject, regulator or other third party in connection with the processing of the Ad Data. Each party shall promptly inform the other if it receives any request directly from a data subject to exercise a Data Subject Right in relation to the Ad Data. Subject to obligations of confidentiality and polices on disclosure of information, where a party has a concern that the other party has not complied with this Addendum, the parties agree to exchange information to ascertain the cause of such non-compliance and take reasonable steps to remediate.

 

6.          International Transfers.

6.1.        Neither party shall process any Personal Data, or transfer the Personal Data (nor permit any Personal Data to be processed) in connection with the Agreement to any Restricted Country unless it has taken such measures as are necessary to ensure there is adequate protection and appropriate safeguards for such Personal Data in accordance with Data Protection Laws when it is transferred or accessed in a Restricted Country. Such adequate protection and appropriate safeguards may include entering into the Standard Contractual Clauses and/or UK Addendum.

6.2.         The Parties agree that in the event of an ex-EEA Transfer, the transferring party shall comply with the data exporter’s obligations in the Standard Contractual Clauses and the receiving party shall comply with the data importer’s obligations in the Standard Contractual Clauses, and the Standard Contractual Clauses are deemed to have been executed by the Parties and incorporated into (and form part of) this Addendum, with the following amendments:

6.2.1.   Clause 7 (docking clause) of the Standard Contractual Clauses shall be included;

6.2.2.   the governing law for the purposes of Clause 17 (governing law) of the Standard    Contractual Clauses shall be the law of Ireland;

6.2.3.   the relevant courts for the purposes of Clause 18 (choice of forum and jurisdiction) of the Standard Contractual Clauses shall be the courts of Ireland;

6.2.4.   Annexes IA, IB and IC to the Standard Contractual Clauses shall be deemed to have been completed with the information in the Exhibit A-1 to this Exhibit A;

6.2.5.   Annex II to the Standard Contractual Clauses shall be deemed to have been completed with the information in the Exhibit A-2 to this Exhibit A.

6.3.        The Parties agree that in the event of an Ex-UK Transfer, such transfer shall be conducted pursuant to the Standard Contractual Clauses as supplemented and amended by the UK Addendum, which will be deemed to be executed by the Parties and incorporated into and form part of this Addendum, with the Part 1 tables to the UK Addendum completed as follows:

6.3.1.   Table 1 shall be deemed completed with the information from the Exhibit A-1 to this Exhibit A, and the start date shall be the Effective Date of this  Addendum;

6.3.2.   In Table 2, the first option shall be selected and the relevant version of the ” Approved EU SCCs ” referenced in that option shall be the Standard Contractual Clauses referenced in Clause 6.2 above (as amended in accordance with Clause 6.2);

6.3.3.   Table 3 shall be deemed completed with the information from the Exhibit A-1 to this Exhibit A and the Exhibit A-2 to this Exhibit A;

6.3.4.   Table 4 shall be deemed completed such that the Importer has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum; and

6.3.5.        The transferring Party shall comply with the data exporter’s obligations in the UK Addendum and the receiving Party shall comply with the data importer’s obligations in the UK Addendum, and if there is any conflict between this Addendum and the UK Addendum, the UK Addendum shall prevail.

 

7.          Miscellaneous:

7.1.               Liftoff reserves the right to modify, suspend or terminate the Agreement should Developer violate this Addendum.

 

7.2.               This Addendum shall survive termination or expiry of the Agreement.  Upon termination or expiry of the Agreement, Liftoff may continue to process the Ad Data provided that such processing complies with the requirements of this Addendum.

 

7.3.               Notwithstanding anything to the contrary in the Agreement and without prejudice to Section 2 above, Liftoff may periodically make modifications to this Addendum as may be required to comply with the Data Protection Laws.

Schedule 1 – Appendix A

Description of the Transfer 

Defined terms are as set out in the Data Processing Addendum (“Addendum”) agreed between the parties.

Annex 1(A) List of Parties:

Data Exporter

Data Importer

Name: Developer, as identified in this Addendum,

Name: Vungle SEA PTE Ltd. (“Liftoff”)

Address:  As identified in the Agreement.

Address:  6 Shenton Way #38-01 OUE Downtown 1 Singapore 068809

Official registration number (if any):

Official registration number (if any):I

Contact Person’s Name, position and contact details: As identified in the Agreement

Contact Person’s Name, position and contact details: [email protected].

Activities relevant to the transfer:  See Annex 1(B) below

Activities relevant to the transfer: See Annex 1(B) below

Signature and Date:  By signing this Addendum, the parties are deemed to have executed the Standard Contractual Clauses.

Role: Controller

Role: Controller

Annex 1(B) Description of transfer:

Description

Categories of data subjects whose personal data is transferred:

·           End users of the Developer Apps or end users viewing ads delivered to the Developer Apps (“End Users“).

·           Developer employees and other personnel authorized to use the Monetize Platform (“Developer Users“)

Categories of personal data transferred:

End Users

·           Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID etc.,), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;

·           Demographic information: location,  age range, gender, other publisher-specified demographics (tied to an identifier);

·           User agent or such device information.

·           Behavioral data:

Developer Users

Contact details (name, email, telephone) and professional details (role)

Sensitive data transferred:

None.

If sensitive data, the applied restrictions or safeguards

N/A

Frequency of the transfer:

Continuous

Nature, subject matter and duration of processing:

Processing of Personal Data to provide the Liftoff Services pursuant to the Agreement. The subject matter of the processing is the Personal Data described in this Annex.

Purpose(s) of the data transfer and further processing:

End Users: For the Permitted Purposes (as defined in the Addendum).

Developer Users: For business relationship, marketing and account management purposes.

Retention period (or, if not possible to determine, the criteria used to determine that period):

Liftoff will not retain the personal data for longer than the period during which Liftoff has a legitimate need to retain the personal data for purposes it was collected or transferred in accordance with the Addendum.

Annex 1(C) Competent supervisory authority:

The competent supervisory authority, in accordance with Clause 13 of the New SCCs

The competent supervisory authority shall be determined in accordance with GDPR.

 

 

Schedule 1 – Appendix B

Technical and Organizational Security Measure

 

Introduction

Each party employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.

Governance and Policies

Each party assigns personnel with responsibility for the determination, review and implementation of security polices and measures.

Each party:

●         has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;

●         reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.

Each party establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.

Breach response

Each party has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated no less than once per year.

Intrusion, anti-virus and anti-malware defences

Each party’s IT systems used to process personal data have appropriate data security measures, including: (a) physical access controls; (b) remote access control includes firewalls on the internal network; (c) user access is logged and monitored for unusual and unauthorized access; (d) threat assessment and vulnerability scanning; (e) data is encrypted at rest.

Access controls

Each party limits access to personal data by implementing appropriate access controls, including: (a) limiting administrative access privileges and use of administrative accounts; (b) changing all default passwords before deploying operating systems, assets or applications; (c) requiring authentication and authorisation to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems); (d) only permitting user access to personal data which the user needs to access for their job role or otherwise limited to the purpose for which they are given access (i.e. Service Provider implements measures to ensure least privilege access to IT systems); (e) appropriate procedures for controlling the allocation and revocation of personal data access rights, including procedures for revoking employee access to IT systems when they leave their job or change role; (f) encouraging users to use strong passwords, such as passwords with over fourteen characters, combination of upper and lower case letters, numbers and special characters; (g) automatic timeout and locking of user terminals if left idle; (h) monitoring and logging access to IT systems.

Availability and Back-up personal data

Each party has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated. Service Provider regularly backs-up information on IT systems and keeps back-ups in separate locations.  Back-ups of information are tested periodically.

Segmentation of personal data

Each party separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes.

Disposal of IT equipment

Each party has in place processes to securely remove all personal data before disposing of IT systems, and uses appropriate technology to purge equipment of data and/or destroy hard disks.

Encryption

Each party uses encryption technology where appropriate to protect personal data held electronically, including encryption of data where appropriate and encryption of company issued portable devices used to process personal data. Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.

Transmission or transport of personal data

Appropriate controls are implemented by each party to secure personal data during transmission or transit, including, but not limited to: use of VPNs; SSL in transit; logging personal data when transmitted electronically; ensuring physical security for personal data as appropriate when transported.

Asset and Software management

Each party maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets. Service Provider: documents and implements rules for acceptable use of IT assets; proactively monitors software vulnerabilities and promptly implements any out of cycle patches.

Physical security  

Each party implements physical security measures to safeguard personal data. This may include  deployment of appropriate building security, including visitor logs, ID card access for staff, logs of staff access to buildings, and CCTV.

Staff training and awareness

Each party’s agreements with staff and contractors and employee handbooks set out its personnel’s responsibilities in relation to information security.

Each party requires:  staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the on boarding procedures); appropriate screening and background checks on individuals that have access to sensitive personal data; that Staff are subject to disciplinary measures for breaches of such party’s policies and procedures relating to data privacy and security.

Selection of service providers and commission of services

Each party assesses service providers’ ability to meet their security requirements before engaging them.  Each party has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Service Provider’s instructions.

Each party audits service providers (including subprocessors) that have access to such party’s data either through physical inspection by appropriately qualified security auditors or by reviewing its service providers’ security accreditation (such as ISO 27001 or SOC II) reports. Each party’s breach response protocol and agreements with its service providers provide for the audit of such service providers (and subprocessors) following receipt of any notice of a security incident from that service provider.

Part 2

Assistance with Data Subject Rights Requests

Liftoff has implemented appropriate policies and measures to identify and address data subject rights requests, including: (a)  maintaining accurate records to enable it to identify quickly all personal data processed on behalf of Client; (b) ensuring deletion and rectification requests are fully actioned.